I have noticed a lot of activity from Windows anti-virus and MSSearch (indexing). Is it possible to use the Process Restrictions system to block these?

I can probably record a list of the anti-virus executables then programmatically discover the Process IDs as required; but I wonder if Windows/Anti-Virus tools will see this as virus-like behaviour which will lead to other problems.

I would like to prevent the unnecessary reads. I think re-implementing as a Shell Namespace Extension rather than a disk would do the job but I will lose other features that way.

The problem with the process restriction mechanism can be if some of these utilities work on the kernel mode level in the context of the "SYSTEM" process (whose PID is 4). Many other kernel components also perform I/O requests in the context of this process. So blocking it can cause some problems.

Perhaps it's better to analyze which process is opening a file/directory in the OnCreate/OnOpen callback (see the GetOriginatorProcessName and similar CBFS methods) and throw the access denied error. This way the process won't obtain a handle to the file and won't be able to do any other operations.

You can take Process Monitor from sysinternals.com and investigate what behavior these utilities have.
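One way to structure the per-process decision described in the answer above, as an added C++ example that is not from the CBFS SDK or from the forum post; the OriginatorPolicy class, its method names and the callback wiring are assumptions, and the process names in the deny list are constructed sample values:

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <utility>
#include <vector>

// Result handed back to the (not shown) OnCreate/OnOpen callback, which would
// return ERROR_ACCESS_DENIED (Win32 error 5) for Deny so the caller never
// obtains a handle to the file.
enum class OpenDecision { Allow, Deny };

// Hypothetical policy object: the callback passes the originator PID and the
// image path it obtained from GetOriginatorProcessName; this class only decides.
class OriginatorPolicy {
public:
    explicit OriginatorPolicy(std::vector<std::string> blockedImages)
        : blocked_(std::move(blockedImages)) {
        for (auto& b : blocked_) lower(b);  // compare case-insensitively
    }

    OpenDecision decide(unsigned long pid, const std::string& imagePath) const {
        // Never deny the SYSTEM process (PID 4) or an unknown originator:
        // kernel components issue I/O in that context, so denying it would
        // break unrelated callers, not just the scanner.
        if (pid == 4 || imagePath.empty()) return OpenDecision::Allow;
        std::string name = baseName(imagePath);
        lower(name);
        for (const auto& b : blocked_)
            if (b == name) return OpenDecision::Deny;
        return OpenDecision::Allow;
    }

private:
    static void lower(std::string& s) {
        std::transform(s.begin(), s.end(), s.begin(), [](unsigned char c) {
            return static_cast<char>(std::tolower(c));
        });
    }
    // Match on the image file name only, so the rule holds whatever the
    // install directory of the scanner is.
    static std::string baseName(const std::string& path) {
        const std::size_t pos = path.find_last_of("\\/");
        return pos == std::string::npos ? path : path.substr(pos + 1);
    }
    std::vector<std::string> blocked_;
};

// Constructed sample deny list: the Windows Search indexer plus a placeholder
// name standing in for whatever scanner Process Monitor shows on your system.
inline OriginatorPolicy makeSamplePolicy() {
    return OriginatorPolicy({"SearchIndexer.exe", "ExampleAvScanner.exe"});
}
```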
